CI: add repository checks to prevent workflow failures on forks #22349
Add conditional checks to ensure workflows that require secrets only run on the main pingcap/docs repository. This prevents workflow failures on forks where secrets are unavailable.

Affected workflows:
- dispatch.yml (DOCS_STAGING)
- rebase.yml (REBASE_SECRET_KEY)
- ja-full-translation-google.yaml (GCP credentials, DOCS_STAGING)
- translation-cron.yml (GCP credentials, DOCS_STAGING)
- translation-zh.yaml (LANGLINK credentials)
- translation-zh-switch.yaml (LANGLINK credentials)
- sync-cloud-zh-toc.yml (GEMINI_API_TOKEN)
- sync-doc-pr-zh-to-en.yml (DEEPSEEK_API_TOKEN, GEMINI_API_TOKEN)
- media.yml (QINIU credentials)
- bot.yaml (repository-specific)
- link.yaml (repository-specific)
2f884bf to ccf386c
Accepting your suggestion to remove the guard. Since it's workflow_dispatch only, contributors won't accidentally trigger it - they'd need to intentionally run it and configure their own API keys (DEEPSEEK_API_TOKEN, GEMINI_API_TOKEN).

Co-authored-by: Grace Cai <[email protected]>
/approve

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiancai

The full list of commands accepted by this bot can be found here. The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
@qiancai: You cannot manually add or delete the cherry pick approval state labels, only I and the trusted members have permission to do so. You can approve it in internal platform.

In response to removing label named approved.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.
What is changed, added or deleted? (Required)
Add repository checks (if: github.repository == 'pingcap/docs') to workflows that use secrets, preventing failures when contributors fork the repository.

Why

When users fork pingcap/docs, workflows requiring secrets fail because GitHub does not expose repository secrets to forks (a security feature). This causes:

Changes

Added if: github.repository == 'pingcap/docs' condition to jobs in:

- dispatch.yml (DOCS_STAGING)
- rebase.yml (REBASE_SECRET_KEY)
- ja-full-translation-google.yaml (GCP_KEY, GCP_PROJECT_ID, GCP_GLOSSARY_ID, DOCS_STAGING)
- translation-cron.yml (GCP_KEY, GCP_PROJECT_ID, GCP_GLOSSARY_ID, DOCS_STAGING)
- translation-zh.yaml (LANGLINK_ACCESS_KEY, LANGLINK_ACCESS_SECRET, LANGLINK_USER)
- translation-zh-switch.yaml (LANGLINK_ACCESS_KEY, LANGLINK_ACCESS_SECRET, LANGLINK_USER)
- sync-cloud-zh-toc.yml (GEMINI_API_TOKEN)
- sync-doc-pr-zh-to-en.yml (DEEPSEEK_API_TOKEN, GEMINI_API_TOKEN)
- media.yml (QINIU_ACCESS_KEY, QINIU_SECRET_KEY, QINIU_BUCKET_NAME)
- bot.yaml
- link.yaml

Pattern

This is a standard GitHub Actions pattern for handling fork workflows:

Already used in this repository:

- media.yml (733efab)
- bot.yaml (eb6912e)
- link.yaml (341a1e2)

Used by major open-source projects:

- github.repository == 'rust-lang/rust'

Validation

Tested on fork (alastori/tidb-docs):

- translation-zh.yaml (workflow_dispatch)
- bot.yaml (workflow_dispatch)
- link.yaml (workflow_dispatch)
- ci.yaml (pull_request)
- link-fail-fast.yaml (pull_request)

Which TiDB version(s) do your changes apply to? (Required)
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?
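
An added example, not part of this PR or of the pingcap/docs repository: a small Python check that flags jobs which read secrets but have no job-level if: comparing github.repository, the guard this PR adds. The sample workflow, its job names and the function name are constructed for illustration, and the line-based parsing assumes block-style YAML with two-space indentation.

```python
import re

# Constructed workflow for illustration (not a file from pingcap/docs).
SAMPLE = """\
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: ./lint.sh
  upload:
    if: github.repository == 'pingcap/docs'
    runs-on: ubuntu-latest
    steps:
      - run: ./upload.sh
        env:
          KEY: ${{ secrets.QINIU_ACCESS_KEY }}
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - run: ./dispatch.sh
        env:
          TOKEN: ${{ secrets.DOCS_STAGING }}
"""

JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")         # key directly under jobs:
JOB_IF = re.compile(r"^    if:.*github\.repository\s*==")  # job-level guard only
SECRET = re.compile(r"\bsecrets\.([A-Za-z_]\w*)")

def unguarded_secret_jobs(workflow_text):
    """Return {job: [secret names]} for jobs that read secrets without the guard."""
    jobs, current, in_jobs = {}, None, False
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # skip blank lines and comments
        if not line[0].isspace():          # a new top-level key starts here
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and JOB_KEY.match(line):
            name = JOB_KEY.match(line).group(1)
            current = jobs.setdefault(name, {"guard": False, "secrets": set()})
        elif in_jobs and current is not None:
            if JOB_IF.match(line):
                current["guard"] = True
            current["secrets"].update(SECRET.findall(line))
    return {name: sorted(job["secrets"]) for name, job in jobs.items()
            if job["secrets"] and not job["guard"]}

if __name__ == "__main__":
    print(unguarded_secret_jobs(SAMPLE))
```

A step-level if: does not count as a guard here, because the job would still start on a fork before the step is skipped.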